Hello,

From: Matt Kettler <[EMAIL PROTECTED]>
Subject: Re: Couple of newbie questions... (repost)
Date: Mon, 06 Feb 2006 18:59:34 -0500

(snip...)

> Consider this porn spam:
> 
> Return-Path: <[EMAIL PROTECTED]>
> Received: from bgp01061386bgs.taylor01.mi.comcast.net
> (bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])
>       by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564
>       for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 05:21:12 -0500

I have some ideas for catching spam coming from 'comcast.net' dynamic IPs.

(1) update 'HELO_DYNAMIC_COMCAST'

#---
# Matches the X-Spam-Relays-Untrusted pseudo-header; keep the whole rule on one line.
header HELO_DYNAMIC_COMCAST2 X-Spam-Relays-Untrusted =~ /helo=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ident= envfrom= intl=0 .+auth= /
describe HELO_DYNAMIC_COMCAST2 Relay HELO'd using suspicious hostname (Comcast)
score HELO_DYNAMIC_COMCAST2 2.800 2.800 3.237 3.500
#---

In '20_fake_helo_tests.cf', HELO_DYNAMIC_COMCAST is obsolete, I think.
Comcast's FQDN format has been updated; almost all FQDNs are:

| $ host 68.40.7.208
| Name: c-68-40-7-208.hsd1.mi.comcast.net
| Address: 68.40.7.208


(2) make site-local rules

Ex.
All mail that comes to me passes through the receiving MTA 'mail.flcl.org'.
So, I write:

#---
# Attention: Do not copy & paste below rules solely!
# You MUST re-write 'by=', your receiver MTA!
header DIRECTCOMCAST X-Spam-Relays-Untrusted =~ /rdns=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ by=mail\.flcl\.org ident= envfrom= intl=0 .+auth= /
describe DIRECTCOMCAST directly received spam from COMCAST
score DIRECTCOMCAST 1.0

meta ___DCN RAZOR2_CHECK || PYZOR_CHECK || DCC_CHECK

meta DIRECTCOMCASTDCN ___DCN && DIRECTCOMCAST
score DIRECTCOMCASTDCN 3.5

meta DIRECTCOMCAST99 BAYES_99 && DIRECTCOMCAST
score DIRECTCOMCAST99 3.5

meta ___SURBL URIBL_AB_SURBL || URIBL_OB_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_SC2_SURBL || URIBL_XS_SURBL

meta DIRECTCOMCASTSURBL ___SURBL && DIRECTCOMCAST
score DIRECTCOMCASTSURBL 2.0
#---

The first rule detects mail sent directly from dynamic IPs to my
receiving MTA.
But that is only a probability of spam.
So, I use meta rules to detect spam more strictly.

> Also, comcast's cablemodem users are the biggest problem, as they're readily
> infected by viruses. Comcast is usually fairly good about having RDNS for all 
> these.

But almost all IPs on comcast.net have FQDNs set.
So, it is easier to decide whether comcast.net's IPs are dynamic or not
than for Asian ISPs' IPs.
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
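As an added example (not the post's own code): the header and meta rules above re-implemented in Python and run over a constructed X-Spam-Relays-Untrusted entry, so the hits and the score can be checked before the .cf is loaded into SpamAssassin. The relay string, the rule-hit set passed in for the network and Bayes tests, and the receiver_mta parameter are assumptions of this example.

```python
import re

# Reverse-DNS / HELO shape the post matches, e.g. c-68-40-7-208.hsd1.mi.comcast.net
DYNAMIC_COMCAST = r"c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net"
DCN = {"RAZOR2_CHECK", "PYZOR_CHECK", "DCC_CHECK"}
SURBL = {"URIBL_AB_SURBL", "URIBL_OB_SURBL", "URIBL_PH_SURBL", "URIBL_SC_SURBL",
         "URIBL_WS_SURBL", "URIBL_JP_SURBL", "URIBL_SC2_SURBL", "URIBL_XS_SURBL"}

def build_header_rules(receiver_mta):
    """Header rules from the post; receiver_mta replaces the hard-coded by=mail.flcl.org."""
    by = re.escape(receiver_mta)
    return {
        # 3.5 is the fourth (Bayes+net) value on the post's four-score line.
        "HELO_DYNAMIC_COMCAST2": (re.compile(
            r"helo=" + DYNAMIC_COMCAST + r" .+ident= envfrom= intl=0 .+auth= "), 3.5),
        "DIRECTCOMCAST": (re.compile(
            r"rdns=" + DYNAMIC_COMCAST + r" .+ by=" + by + r" ident= envfrom= intl=0 .+auth= "), 1.0),
    }

def evaluate(relays_untrusted, other_hits, receiver_mta="mail.flcl.org"):
    """Return (hit rule names, total score) for one X-Spam-Relays-Untrusted string.
    other_hits stands in for the network and Bayes tests (RAZOR2_CHECK, BAYES_99, ...)
    that the post's meta rules depend on; SpamAssassin would compute them itself."""
    hits = set(other_hits)
    score = 0.0
    for name, (rx, pts) in build_header_rules(receiver_mta).items():
        if rx.search(relays_untrusted):
            hits.add(name)
            score += pts
    # Meta rules as in the post; ___DCN and ___SURBL are score-less subrules.
    metas = [("DIRECTCOMCASTDCN", bool(hits & DCN), 3.5),
             ("DIRECTCOMCAST99", "BAYES_99" in hits, 3.5),
             ("DIRECTCOMCASTSURBL", bool(hits & SURBL), 2.0)]
    for name, cond, pts in metas:
        if cond and "DIRECTCOMCAST" in hits:
            hits.add(name)
            score += pts
    return hits, round(score, 3)

# Constructed relay entry modelled on the Received header quoted in the thread; the
# rdns is the current c-68-40-7-208 name that the post's `host` lookup shows.
SAMPLE_RELAY = ("[ ip=68.40.7.208 rdns=c-68-40-7-208.hsd1.mi.comcast.net "
                "helo=bgp01061386bgs.taylor01.mi.comcast.net by=mail.flcl.org "
                "ident= envfrom= intl=0 id=jBRAKsEn012564 auth= msa=0 ]")

if __name__ == "__main__":
    print(evaluate(SAMPLE_RELAY, {"RAZOR2_CHECK", "BAYES_99"}))  # score 8.0
```

With a different receiver_mta the DIRECTCOMCAST rule (and every meta rule built on it) stops firing, which is the trap the post's "re-write 'by='" warning is about.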
